
I still maintain the CD LPMud driver for Genesis MUD at https://github.com/cotillion/cd-gamedriver. There is not very much activity though since most critical issues have been fixed over the years and the game is very stable.


Awesome!


Infineon chips are used in some smart tachographs in EU. This is likely to get very messy.

Extract those keys and your drivers can ignore all annoying work-time rules and you can just patch the files if you are audited.


Not really, as it is an expensive procedure which needs to be done on every single device.

Very unlikely that this will be done.


My experience is that customers don't really care that much about small amounts of downtime no matter what size you are. People mostly get that unexpected stuff happens, as long as you don't get hacked or misplace their data. Customers might complain a bit but seldom leave because of a few hours of downtime.

This seems to mostly hold true for developers also; GitHub manages to survive just fine after all.


Depends on your service. 20 second downtime on loading HN? Nobody cares. 20 second downtime on the last play of the Super Bowl - big problems.

Most internet consumers are accustomed to poor service, so if a page doesn't load we'll assume it's a local problem and try again 20 seconds later. Same with buffering; it's just something that happens occasionally. This is increasingly the case for phone calls too. Legacy live TV and radio going silent, though, is still a major issue, especially during live events.


Sure, but now you're talking about sites with completely different service level objectives, and conversely, different budgets for their hosting. The problem here, to play off of your analogy, is that Netlify is treating every customer, many with SLOs likely less strict than HN as if they are the Super Bowl. This is an assumption that, according to the most recent policy discoverable by looking through their forum posts, is a constraint of their platform, and something they tout as a feature, not a bug.

When users expressed concerns for a similar scenario that the OP experienced on their community forum, Netlify's staff responded with "how likely is this, really?" Only has to happen once to put someone in significant financial harm.


They obviously had no separation at all between customers within the DC though. Which is worrying.


At the moment word is that attackers encrypted Tietoevry's hypervisor platform (Hyper-V, vSphere or KVM, not known) which was hosting multiple customers' VMs. So attackers breached Tietoevry's management network, not customer networks.


TietoEvry do the same in Norway, where accounts are prefixed with customer name.


Ouch.

Apparently Firefox has "Https First" also but requires the pref dom.security.https_first to be set.

"HTTPS-Only Mode" is obviously best if you can do that.


You'd still need to resist the urge to press "allow me anyway" and, to be honest, even I'd click it knowing the risk (I just want to visit the damn site!). This doesn't solve anything unless the prompt is extremely suspicious (like the prompt showing for Google.com or some other site I know supports HTTPS).


Replying to myself but also, they could easily trick you into clicking some link and exploiting you that way. HTTP isn't the issue here, it's just being exploited so they don't have to get you to click some link.

In all likelihood they'd do that if the less direct/obvious method of transmission didn't work.


Its aggression is related to animals somehow.

- krya på dig katt (cat) - fuck you cat

Björn is also bear in Swedish.


There's a difference between Björn (the name) and björn (the animal).

Capitalization gives additional context in this case. If it were at the beginning of the sentence, though, one would hope it contains other clues as well.


Netflix works because they move content close to the users. This is done by either having the ISP establish a peering connection directly to Netflix hosted servers or by having the ISPs host "Open Connect Appliances" which cache the most requested content. These appliances are based on FreeBSD.

The AWS egress savings from this setup must be immense.

https://openconnect.netflix.com/


Yup, cloud bandwidth is insanely expensive compared to what you actually pay to get a link to your datacenter.

And you pay either by 95th percentile (basically "peak usage") or by the whole link, not per megabyte sent.


I think those of us who have had to suffer through ClearQuest, Lotus Notes etc. have an entirely different scale for how bad things can be compared to those who appear to really really hate Jira today. I'm not a fan of Jira but at least it loads, eventually.


Those things were like 20 years ago? JIRA is working years old. We've developed better, more simple issue trackers since, such as GitHub Issues and Projects. Much simpler.


It is like Google Docs vs Office.

Good for casual users, while at the enterprise level everyone wants a different set of 90% Jira features.

It is no accident that Microsoft is turning GitHub into an ecosystem that combines Azure DevOps with GitHub.


This appears to be some Chinese source with the same info: https://cn-sec.com/archives/853339.html

Looking at GitHub and uses of SerializationUtils.deserialize, this is going to be painful.


You are most likely vulnerable to some extent, protection has to be done by your ISP.

In this case it seems like the attackers targeted an SDK. Subresource integrity would have helped here.

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...


It would not have prevented it, because they could've just as easily attacked the server that serves the HTML instead of the CDN that served the JS.
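The two points above, subresource integrity pinning a third-party SDK and the reply that it does not help when the attacker also controls the HTML that carries the pin, as an added example that is not part of the original thread. The SDK bodies, the CDN URL and the HTML are all constructed for illustration; the hash format and the "strongest algorithm present" matching rule follow the W3C SRI specification.

```python
import base64
import hashlib
import re

# Constructed sample: what the CDN would serve before and after a takeover.
SDK_ORIGINAL = b"window.Sdk = { pay: function (to, amount) { /* legit */ } };\n"
SDK_TAMPERED = b"window.Sdk = { pay: function (to, amount) { to = 'attacker'; } };\n"

SRI_ALGOS = {"sha256": 1, "sha384": 2, "sha512": 3}  # name -> relative strength


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value for a resource body, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Browser-side check: the attribute may list several hashes; only those of the
    strongest listed algorithm count, and any one of them matching is a pass."""
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        b64 = rest.split("?", 1)[0]  # drop optional "?options" suffix
        if algo in SRI_ALGOS and b64:
            parsed.append((algo, b64))
    if not parsed:
        return True  # no usable metadata: browsers treat it as "no integrity check"
    strongest = max(SRI_ALGOS[a] for a, _ in parsed)
    return any(
        SRI_ALGOS[algo] == strongest and sri_hash(body, algo) == f"{algo}-{b64}"
        for algo, b64 in parsed
    )


def build_html(sdk_body: bytes) -> str:
    """First-party page embedding the SDK with a pin computed from the given body."""
    return ('<script src="https://cdn.example.invalid/sdk.js" '
            f'integrity="{sri_hash(sdk_body)}" crossorigin="anonymous"></script>')


def page_loads_sdk(html: str, served_sdk: bytes) -> bool:
    """Simulate the browser: find the script's integrity attribute and check the served body."""
    m = re.search(r'<script[^>]*\sintegrity="([^"]+)"', html)
    if not m:
        return True  # no SRI at all: whatever the CDN serves executes
    return sri_matches(served_sdk, m.group(1))


def scenarios() -> dict:
    honest_html = build_html(SDK_ORIGINAL)
    return {
        # Only the CDN is compromised: the pin in the untouched HTML blocks the swap.
        "cdn_only_compromised": page_loads_sdk(honest_html, SDK_TAMPERED),
        # Attacker also controls the HTML origin and re-pins to the tampered body: nothing to catch it.
        "cdn_and_html_compromised": page_loads_sdk(build_html(SDK_TAMPERED), SDK_TAMPERED),
        # No integrity attribute at all: the tampered SDK runs.
        "no_sri": page_loads_sdk('<script src="https://cdn.example.invalid/sdk.js"></script>',
                                 SDK_TAMPERED),
        "untampered": page_loads_sdk(honest_html, SDK_ORIGINAL),
    }


if __name__ == "__main__":
    for name, executed in scenarios().items():
        print(f"{name}: SDK {'executes' if executed else 'blocked'}")
```

The third case is the one the reply is making: SRI defends the first party against a compromised third-party host, not against compromise of the origin that serves the pin itself.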


No, klayswap.com has CAA configured in DNS.


Then it sounds like a misconfiguration after all? Because that would mean they didn't configure CAA for their CDN.

In any case they could've hijacked the IP for the authoritative DNS server, but that would at least add some complexity.

Also, this assumes their CA actually did their due diligence and the hackers didn't just fool them into reissuing the certificate to them.


I think the CDN has to configure CAA.

So if your site pulls in JS from another site without subresource integrity, and the other site doesn't have CAA configured, you are vulnerable.
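How a CA decides whether CAA permits issuance for a given name, as an added example that is not part of the thread. It implements the RFC 8659 lookup (use the name's own CAA RRset if non-empty, otherwise climb to the parent) and the issue/issuewild/critical-flag rules over a constructed zone table; the zone names, CA identifiers and records are all made up and are not what any real domain publishes. The roles mirror the thread: a first-party site that restricts issuance, and a separate SDK host whose zone has no CAA at all, so any CA that passes domain validation may issue for it.

```python
from typing import Callable, Dict, List, NamedTuple


class CAA(NamedTuple):
    flags: int   # bit 0x80 = "issuer critical"
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. "letsencrypt.org; validationmethods=dns-01", or ";" to deny all


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data (hypothetical names, not real DNS answers).
ZONES: Dict[str, List[CAA]] = {
    "app.example.": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "iodef", "mailto:security@app.example")],
    "locked.example.": [CAA(0, "issue", ";")],   # no CA at all may issue
    "sdk-cdn.example.": [],                      # zone exists but publishes no CAA
}


def lookup(name: str) -> List[CAA]:
    """Stand-in for a CAA query. CNAME/DNAME aliases are assumed already followed."""
    return ZONES.get(name, [])


def relevant_caa_set(fqdn: str, query: Callable[[str], List[CAA]] = lookup) -> List[CAA]:
    """RFC 8659 section 3: the first non-empty CAA RRset walking from the name up to the TLD."""
    labels = fqdn.rstrip(".").lower().split(".")
    while labels:
        rrset = query(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def may_issue(ca: str, fqdn: str, wildcard: bool = False,
              query: Callable[[str], List[CAA]] = lookup) -> bool:
    """Would a CA identified by `ca` be permitted by CAA to issue for `fqdn`?"""
    rrset = relevant_caa_set(fqdn, query)
    if not rrset:
        return True   # no CAA anywhere in the chain: CAA imposes no restriction
    # An unknown tag with the critical flag set means "do not issue".
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"   # issuewild takes precedence for wildcard names when present
    records = [r for r in rrset if r.tag == tag]
    if not records:
        return True   # e.g. only an iodef record: reporting address, no issuance restriction
    for r in records:
        issuer = r.value.split(";", 1)[0].strip().lower()  # domain part before any parameters
        if issuer and issuer == ca.lower():
            return True
    return False      # covers the 'issue ";"' deny-all form as well


def scenarios() -> Dict[str, bool]:
    return {
        "trusted_ca_on_app_subdomain": may_issue("letsencrypt.org", "www.app.example"),
        "rogue_ca_on_app_subdomain": may_issue("rogue-ca.example", "www.app.example"),
        "rogue_ca_on_sdk_host": may_issue("rogue-ca.example", "js.sdk-cdn.example"),
        "anyone_on_locked": may_issue("letsencrypt.org", "locked.example"),
        "trusted_ca_wildcard_on_app": may_issue("letsencrypt.org", "*.app.example", wildcard=True),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'may issue' if allowed else 'must not issue'}")
```

Note what the check does and does not cover: a subdomain inherits its parent's CAA, so the first party's records protect every name under it, but they say nothing about a third-party host in another zone. CAA is also only consulted by the CA; it restricts which CA may issue, not how thoroughly that CA validates control of the name.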


It's not enough for everyone involved to have CAA enabled. They need to have CAA enabled and to select a certificate authority that does effective domain ownership validation, which - as the article suggests - means (at minimum) multiple-origin checking of network-based challenge protocols like HTTP-01.

Personally, I think anyone who has a heightened attack risk ought to contemplate a CA that does some form of more thorough validation.


Yes, I saw they attacked the subdomain holding the JavaScript (developers.kakao.com), but could they have also attacked the main domain?

Subresource integrity wouldn't help if they could have re-routed requests from klayswap.com.

